How Image Spam Works

Esther Schindler writes "CSO Magazine has an article about "The Scourge of Image Spam," with an explanation of its effect (a year ago, fewer than five out of 100 e-mails were image spam; today, up to 40 percent are in that category, and image spam is the reason spam traffic overall doubled in 2006). You might already know about that, ho-hum. But what's even cooler is a interactive graphic page which demonstrates the various methods used by image spammers and how it works."

Spam?

[Colin Smith]

What is this thing you speak of?

I haven't had any spam in years.

 

Re:

[richdun]

It a form of "meat." (emphasis on the quotes)

Re:Spam?

[u-bend]

Anyone with a Gmail account ever notice that your targeted advertising links are all about spam recipes (i.e. Spam Meat Loaf) when you're in your spam folder? I've always loved that, and figured that it may have started out as a bug, but one that the Gmail team sort of fell in love with.

Re:Spam?

[LiquidCoooled]

The spam recipe bar is an offshoot from the WebClips feature of your inbox.
The inbox can be configured to have a single item selected at random from one of a number of RSS feeds, I have mine configured to show Routers oddly enough and slash.

The area marked for webclips is a custom feed from www.recipesource.com

If you look on your trash folder, you also get tips about recycling.

The other folders give standard syndication adverts.

More info here [google.com]

Re:

[Insightfill]

What is this thing you speak of?

I hear that spam is much like something called an "advertisement". I haven't seen these in a while, either. Maybe someone below will clear these things up.

Re:

[prelelat]

If your refering to the type of email people get I never used to get it either, I had my own domain that sat on its lonesome that I never used. I used it to send email to my family and friend and then one day. 3 years after I started using the email account I started getting spam. No one is safe. You may think you are but your not...

I sound like Bush :)

Because it isn't just you.

[khasim]

No matter how careful you are, it is the other people that will compromise your address.

Even if you only sent ONE message to Aunt Sally, your address is now on her machine. When she gets infected, ALL of the addresses on her machine are sent to the spammers.

Then you start getting spam.

Re:

[AlHunt]

Or, if Aunt Sally send you one of those bloody e-cards, you can kiss your e-mail address goodbye.

So what?

[SanityInAnarchy]

I've almost deliberately exposed my email address all over the place, without the ridiculous antispam obfuscations (no "ninja AT slaphack DOT com" here), because I prefer not to use CAPTCHAS where I can help it, and that's just a poor-man's CAPTCHA.

The reason? Simple:

Statistical spamfiltering of any kind -- bogofilter, in this case -- is creepily accurate.

Recently, I lost my bogofilter database (due to my own stupidity). It took one day for it to get back to 95% accuracy, and another day to get up to 99%, with one false positive -- the first I had seen in about six months.

Re:

[PPH]

Image?

What is this thing you speak of? I use elm for an e-mail client.

Re:

[PPH]

An Ethernet is a net for catching ether bunnies.

Re:tutorial?

[cayenne8]

See? I used to bitch years ago that email should be TEXT ONLY, but, no...we all want html mail and purty graphics.

If we'd stuck with text only email....no problem with images.

Oh well....back to trying to install Win 95 on an abacus.....

Here's how it works from another perspective

[Richard McBeef]

It works because some rat fuckers out there buy the shit that's being advertised.

Re:Here's how it works from another perspective

[Qoroite]

You know, I've always wondered how true that really is.

What sort of a brain-dead moron would actually fall for spam? There can't be many people that dumb surely?(I hope....)

Re:Here's how it works from another perspective

[jfengel]

You know that the IQ bell curve has two tails. Somebody's got to be in the left tail. And since spam is nearly free, you only need to find a few idiots.

Then again, they've got to be coming to the intersection point between "Dumb enough to buy v1@gra from a spammer" and "Too freaking stupid to use a computer or have any money".

Re:Here's how it works from another perspective

[Anonymous Coward]

There wouldn't be anyone in the left tail if we took the warning labels off everything.

/just sayin'

Re:Here's how it works from another perspective

[Mr Z]

I once made a calculation that if every person on the Internet responded positively to precisely one spam, that would be enough to make spam wildly profitable. Granted, that was a few years ago, but bandwidth (and therefore spam) has only gotten cheaper and bot nets more prevalent (making spam cheaper still).

You don't have to go too far down the left tail of the bell curve to make up for the folks on the right half. After all, in terms of positive response, the best the folks in the right half can do is respond positively to zero spams. The further you go into the left tail, the more likely you are to run into people who respond positively to spam on a somewhat regular basis. The cut-over line for "responds to spam" vs "does not respond to spam" can be pretty far into the left tail and still have spam be profitable.

Making matters worse, negative responses to spam rarely do anything to the spammer. Instead, they just annoy IT departments into implementing ever heavier spam filters. Every so often somebody gets sued, but it's hardly enough to make a real dent in things.

Re:

[MenTaLguY]

It isn't even always an IQ issue -- some people simply have problems "saying no". Imagine an intelligent person with poor sales resistance, for example.

The other problem is that offers of sex or money tend to make people stupid.

Re:

[Applekid]

The linked article mentions some SEC investigations to some stocks that went up in value as a result of that sort of spam. SOMEONE's gotta be making money out there. I mean, all the advances making spam harder to track has to be funded SOMEHOW.

Re:

[AKAImBatman]

What sort of a brain-dead moron would actually fall for spam? There can't be many people that dumb surely?(I hope....)

Enough to pump and dump penny stock [npr.org], it would seem.

Re:Here's how it works from another perspective

[plover]

You have to look at the business of spam to understand why it hasn't gone away yet.

There are actually three parties involved in spamming: the merchant, the spammer, and the victims/recipients. The merchant is the trailer trash dude who fished a case of expired viagra out of some pharmacy's dumpster. He wants to sell it online and make a fortune. So he hires a spammer who agrees to send out 10,000 emails for $60.00.

Whether or not the merchant makes a single sale has no effect on the spammer. The spammer made his money just by sending the crap emails out. And the supply of idiots with get-rich-quick schemes is virtually infinite, guaranteeing the spammers a never-ending stream of fools willing to hand them $60.00 apiece.

This means we'll probably be fighting spam until the world runs out of greedy idiots.

Re:Here's how it works from another perspective

[giorgiofr]

I'd like to add that there is a forth party involved and it's the one all we sysadmins hate - the cracker who's hired by the spammer to root boxen left and right. I believe most people trying to break into my server are looking for a compromisable host to set up a mail server.
On an unrelated note, has anyone else noticed a huge drop in the effectiveness of greylisting as a spam countermeasure? I used to receive close to zero spam messages up until 2-3 weeks ago and suddenly they're flooding me! Any hint?

Re:Here's how it works from another perspective

[gmuslera]

On an unrelated note, has anyone else noticed a huge drop in the effectiveness of greylisting as a spam countermeasure? I used to receive close to zero spam messages up until 2-3 weeks ago and suddenly they're flooding me! Any hint?

Greylist don't "magically" stop spams, dont even have to know that is spam or not what is stopping. Only asks that the sending server is well behaved and try again to send the same message (same sender, same destination) after some minutes/hours and it works against spam because most spam-sending bots usually dont retry. But you only need to be targetted by machines that behaves well in this sense to get again spam.

Re:

[triclipse]

In addition to the cracker mentioned in the other post, there are often many layers of people profiting from the spam. To use my mortgage spam example (see my above post) there is:

1. The script writer who writes the script to compromise the PC
2. The idiot whose unprotected PC spews forth the spam
3. The ratfuck who controls the botnet and rents it out to the main spammer
4. The main spammer who serves as the point of contact with the "lead generators"
5. The asshat individual spammer "affiliates" who spam

Re:

[plover]

How do you find a "spammer" to hire?

Google for bulk email services. [google.com] The first couple of links will get you in touch with companies who will get you in touch with companies that provide lists of companies that offer bulk email services.

For a price. Hey, nothing's free.

Can't the DOJ pretend they have a case of Viagre to sell?

Apart from the fact that the people who decide what cases to pursue are too busy protecting their own jobs to chase spammers, there's a couple of problems that get in their way: e

Where is Chris Hansen on this?

[oni]

What sort of a brain-dead moron would actually fall for spam?

I wish that somebody would do a TV show like "To Catch a Predator" except that they would go after the people who buy spam. Embaras them a little.

"Hi, I'm Chris Hansen from NBC. Why don't you have a seat there. Why are you here sir?"
"uh well I, I'm here to see a friend."
"You're here to have your penis enlarged aren't you?"
"no, no, I'm just here to hang out."
"Sir this is an email that we sent to you advertising penis enlargement. You clicked on this email."
"omg, is this on TV??"

Re:

[businessnerd]

Actually I wouldn't be surprised if "To Catch that dumbass who responds to SPAM" is next on the list. They recently have done "To catch an ID theif." Actually a pretty interesting investigation. They confronted people who thought they had internet girlfriends/boyfriends who happened to also be shipping packages for their alleged significant others. These people were shocked and embarrased, but they then helped track the criminals by playing along for a little longer and shipping packages with tracking d

Re:

[wiredlogic]

I wish that somebody would do a TV show like "To Catch a Predator" except that they would go after the people who buy spam. Embaras them a little.

ABC did this with 419 spammers. They actually went to to Nigeria and found a spam operation running there. They were able to contact some of the people who sent money and interviewed them to ask why they fell for the scam. Summary: the "victims" were universally dumb, poor, and avaricious. Definitely at the extreme end of the bell curve.

Re:

[Bob-taro]

Actually, you don't even need one stupid person falling for the spam-vertisements. All you need is stupid marketing managers who will pay for the spam campaign -- whether or not it is working.

Re:Here's how it works from another perspective

[MarkGriz]

"It works because some rat fuckers out there buy the shit that's being advertised"

So that's why they are buying penis enlarging pills

Re:

[vertinox]

"It works because some rat fuckers out there buy the shit that's being advertised."

Personally, I don't think there should be legislation aimed at spammers directly because it is useless to try to bring someone in Eastern Europe or Asia to justice or even stop spam.

We should however pass legislation against companies who ads or information appear in spam messages. Obviously, the are companies that are often in the states who could be punished.

Re:

[OwnedByTwoCats]

We should however pass legislation against companies who ads or information appear in spam messages.

Which would make sending out spam with a competitor's name in it the thing to do.

Re:

[nuzak]

> We should however pass legislation against companies who ads or information appear in spam messages.

Do you honestly think Pfizer is in on viagra spam?

Re:

[Threni]

It also works because, despite the fact that I only send emails that consist solely of text, and am only interested in receiving emails which consist solely of text, it's apparently beyond the wit of Gmail and other email based software vendors to allow me to reject any emails which contain html and/or graphics. I don't want 'em! It's always either spam or some other lame shit. I don't know about the rest of you, but that'd sort me out nicely.

Re:

[Jimmy_B]

It works because some rat fuckers out there buy the shit that's being advertised.

No, they don't. Even if no one ever bought a single item that was advertised by spam, the spam would still be sent. That's because there are two people involved: the seller and the spammer, usually not the same person. The spammer convinces the seller that a spam campaign will increase sales, and the seller pays the spammer to send them. It doesn't have to be true, it only has to be convincing.

Re:

[Wiseleo]

I sell software volume licensing.

You would not believe how many times I receive as a forwarded message from my customers a piece of spam that promotes "OEM" software at 90% off asking me "Should we get this?". The Adobe CS3 for $90.9 instead of $999, for example. :-)

I reply to such clients with an explanation of what OEM software really is and how it's different from unlicensed software.

Not every one of the spam recipients has someone like me with whom to consult, so I'd imagine the spammers are making a de

It's A Turing Test

[Anonymous Coward]

Spammers are sending out Turing Tests. Beware of spam filters that are too good. They just might be intelligent.

For me it's not image spam, it's botnet traffic...

[garcia]

For me the spam e-mails are minimal to my machine. I do see a couple of them come in through GMail on the account that I have posted publicly on my website for people to contact me but for the most part they are the standard stock pump and dumps or phishing schemes.

What has been killing me recently were the fucking botnet "attacks" sucking my DSL's bandwidth with those douchebags hitting me with a GET and an immediate POST for tons of URLs all over my site. Their referrer was http://www.google.com/ [google.com] and for a few hours I couldn't figure out how to stop that w/o stopping Google search referrals too.

Some nice guy in #apache helped me out with:

SetEnvIfNoCase Referer "^http://www.google.com/?$" BadReferrer=1

SetEnvIfNoCase Referer "^http://www.google.com/?$" BadReferrer
order deny,allow
deny from env=BadReferrer

That has been returning 403s to the botnet which apparently stop such frequent attempts when they receive the error. I was getting hit with their shit every 4 to 5 seconds all day yesterday and now they are "pinging" me with attempts every hour or so. I don't know if it's a different botnet or the same one trying to get back in but that was the most effectual way to drop the huge spam traffic I was receiving but couldn't ban due to the wide range of IPs.

Botnets fucking suck :(

Re:For me it's not image spam, it's botnet traffic

[WTBF]

Every 4 to 5 seconds is not bad, I was hit by a similar attack.

I run a webserver on my home connection, all it hosts is MythWeb, and it is password protected. I am the only person who should have to access it, and am on a dynamic IP address (not a problem I thought when setting it up, and have been very successfully using DynDNS.) About a year ago my IP address was changed to a new one, as it happens. My internet was going as slow as molasses about 10 minutes later, although I just thought it was a temporary thing with my connection. The next day it is even slower, and so I begin to investigate - I perform a speedtest and get very good results for download (but not perfect), but almost no upload. I thought this was odd and checked with my ISP to make sure there were no known issues with the connections in my area - there were not. So I then plugged my modem directly into my computer and it was still happening (which made me think it was something with my ISP, as it affected my router and my computer), and so I then clicked on my bandwidth monitor to see what speeds I could get, and before doing anything there was a constant stream of about 100kb-150kb of downstream traffic. And so I plugged the internet back through the router (I was running a software firewall by the way, so I considered bypassing the router safe).

I then looked at my webserver logs, and it took forever to load. So instead I did a "tail -f" on the error log. I must have been receiving hundreds of requests per second for websites that were nothing to do with me. It was scrolling so quickly I could not read entries as they went past. Examining it more closely I realized what happened: the owner of the IP address before me had been running an open proxy on port 80, and when the IP address changed all their requests were redirected to me, killing my much slower connection (from all the 404 responses apache was sending). So I closed port 80 for a week, and my connection returned to a somewhat normal state. However, I was still receiving about 20 requests a second, despite being offline (seemed mainly to be people trying to do dos attacks through a proxy). After a month this was down to only 1 or 2 a second, and it has remained like that till today.

Because of your post I checked my webserver logs, and at 1:27:18am I received my last request for a website, and looking into it my IP address changed to a new one (only took a year), and so some other unfortunate person is now receiving a few requests a second to be a proxy server.

Re:

[WTBF]

I cannot get out from school to anything other than 80. Not even 443 works (I know this is stupid and broken, you tell the IT department this).

FTFA

[Hatta]

E-mail solicitations that use graphical images of text to avoid filters are not new.

This is easy enough to defeat. Ignore all emails that aren't plain text.

Re:FTFA

[Hoi Polloi]

Agreed but I'd go further. Reduce emails to plain text and attached files. No HTML. If you need to send images then post them to a web site and send the url or put them in a zip file.

Re:

[MightyYar]

That's great for you and me, but the "average Joe" has no idea what you are talking about. For instance, one of my friends took some pictures of my niece playing with my daughter. She has a digital camera and uses Picasa. She has absolutely no idea what she is doing... all she could figure out is to click the "email these photos" button. Please don't ask me to talk her through opening a zipped folder of photos over the phone!

My only use of HTML mail is for sending links. A very long url will wrap around on

Re:FTFA

[PCM2]

You don't even need to be that uptight.

Seriously, I once read something about using OCR software to "read" images that come through in e-mail to make sure that they don't contain stock spam or penis pump messages. Who thinks this is really necessary? Has anyone you know really gotten so frustrated with the limited font choices in regular e-mail that they started composing their messages in Photoshop?

Trained Bayesian filters seem to have no problem at all spotting image spam.

Re:

[Ilgaz]

Right after the OCR talk started to lead them (antispam people) in some common/working solutions, Spammers begun to use anti-OCR systems. I made a friend working at a big newspaper to test the anti OCR measures via some very expensive professional OCR software, he said it failed to read anything meaningful.

That was the day OCR as antispam became real irrelevant for me. They also figured resolution filters are coming, they immediately started to randomise gif resolutions by 1-5 pixels. There goes that method

Re:

[walt-sjc]

The most effective way is whitelisting... I setup an exim filter that captures outbound addresses and adds them to a whitelist DB. If you send a short email with a single image and are not on the whitelist, you get rejected. Result is zero image spams and no known false positives. This may or may not work for others, but it works for me.

Re:

[Dhalka226]

Who thinks this is really necessary?

I do, at least potentially.

Has anyone you know really gotten so frustrated with the limited font choices in regular e-mail that they started composing their messages in Photoshop?

Of course not. I have, however, had people who wanted to send me a picture and just dropped it in an email with no accompanying text. I've done it a time or two myself (when I've told somebody it was coming; gaim/pidgin (AIM protoctol) file transfers between the two of us over IM haven't

Re:

[TheRaven64]

I have, however, had people who wanted to send me a picture and just dropped it in an email with no accompanying text

Have you ever wanted to send a picture with no text to someone you have not previously corresponded with? I suggest a whitelist system, where only people on the list are allowed to send you anything other than plain text, and auto-whitelist the people who have already sent you non-spam.

Re:

[crossmr]

then chris hanson would be out of a job.

Re:

[TheRaven64]

You don't need to go that far. Auto-whitelist anyone who sends you plain text non-spam, so that they can then send you anything, but force the first message to be plain text.

A Key Point

[eldavojohn]

This is a great article describing how it is formed, why it looks like that, what that is designed to trick, etc.

The key point they're missing is that it works under the assumption that a very small part of the populace doesn't recognize this as spam. These people then think that an investment firm decided to tip everyone off and they mistakenly buy the stock so that it goes up a nickel only to watch it drop shortly after the spammer drops the stock.

What's ironic is that I'll bet there's people out there with money that know this scam but buy the stock to also cash in on people who think this is a real tip. It might even be that the initial assumption is wrong and that the only people scamming each other are scammers trying to take advantage of another scammer's scam. Scam. Oh, the irony if that's the case. Either way, the article mentions the SEC removing stocks that went up that were junk stocks in spam mailings!

It's a scam. Stay away and alert your loved ones if you think they may fall into the initial category of the small part of the populace. The safest way to stop spam is to alert people and teach them how to identify it.

You don't buy stock that an angry fruit salad told you was hot just like you don't sleep with the girl who leaves dead spots of grass where she sits on the corner. Awareness is a valuable key to our solution against spam.

Re:

[garett_spencley]

The key point they're missing is that it works under the assumption that a very small part of the populace doesn't recognize this as spam. These people then think that an investment firm decided to tip everyone off and they mistakenly buy the stock so that it goes up a nickel only to watch it drop shortly after the spammer drops the stock.

Yeah, which is why a good rule of thumb is NEVER buy anything that was advertised to you via e-mail.

Re:

[drooling-dog]

just like you don't sleep with the girl who leaves dead spots of grass where she sits on the corner.

Now he tells me...

Re:

[fermion]

It is not only that people don't realize it is spam, but that people do not realize it is an image. So accidently click the image, perhaps to try to copy text, and the link is activated, the browser appears, and the system infected before anyone realizes what has happened.

The reason that image spam works is because advertising drives the web, along with people who want pretty fonts in their email, and so there are often no obvious methods to turn off image display. This is the same thing with flash. Th

The scourge of broken web sites

[plover]

Grr. I'd like to read TFA, but it's telling me to "turn the page". Viewing the source yields a commented out navigation section that contain broken links. The printable page is broken. Even the "mail this page" link is broken.

I'd like to believe that the submitter of an article at least read TFA, but now I'm not so sure.

Re:

[CaptainPatent]

Works for me. Must be your browser.

Here is TFA for all those who can't read it in its current form:

Image Spam: By the Numbers

By Scott Berinato

Image Spam--an e-mail solicitation that uses graphical images of text to avoid filters--is not new. Recently, though, it reached an unprecedented level of sophistication and took off. A year ago, fewer than five out of 100 e-mails were image spam, according to Doug Bowers of Symantec. Today, up to 40 percent are. Meanwhile, image spam is the reason spam traffic overall doubled in 2006, according to antispam company Borderware. It is expected to keep rising.

1. GIF Layering

Just as word splitting divides words into multiple images to elude spam filters (see number three), an image spam can be divided into multiple images. Like the transparent plastic overlays in Gray's Anatomy, pieces of a message are layered to create a complete, legible message. In this rudimentary example, the spam is divided into three pieces (cut in the middle of letters for added obfuscation). But one message could comprise as many as a dozen layered GIFs.

2. Optical Character

Recognition Duping Optical character recognition (OCR) is the closest to sight that computers get. OCR works by measuring the geometry in images, searching for shapes that match the shapes of letters, then translating a matched geometric shape into real text. To defeat OCR, spammers upset the geometry of letters enough--by altering colors, for example--so that OCR can't "see" a letter even as the human eye easily recognizes it. The effect is something like blurred characters in an eye test.

3. Word Splitting and Ransom Notes

If OCR catches up to the color tricks in image spam, a spammer's next defense is word splitting. By dividing the image and leaving space in between the pieces, any image the OCR engine is examining is only a piece of a letter with its own distinct geometry. Instead of word splitting, some spammers have employed a ransom note technique in which each letter in the spam message is its own image, and each letter image includes background noise and other baffling techniques. A program cobbles together randomized letter images to make words. The effect looks like a classic ransom note with a mishmash of letters cut out from magazines.

4. Geometric Variance

Many filters can intercept mass mailings based on their sameness. Images, though, can be altered easily without disturbing the message inside them. Thus one spam message will arrive as dozens of differently shaped images, and each time the colors of the text images will have changed, as will the randomly generated speckling and pixel and word salads. No two images are alike despite the fact that they carry similar messages. Shown are two radically different images containing the same stock tip. The technique is popular as a scheme to boost prices of low-value stocks. In March, the SEC suspended trading on 35 such stocks that were the subject of these image spam messages, including some whose prices rose.

5. Speckling/Pixel Salad

Confetti-like speckles don't affect the legibility of the necessary information but make every message unique to confuse a filter looking for patterns or high volumes of identical images.Similarly, a bar of randomly generated color pixels can contain the vast majority of the image data. To a filter it's full of patternless noise. We can see the words in the message while the image at the bottom doesn't bother us.

6. Hyperlink Elimination/Word Salad/Animated GIF

Filters have improved their ability to find and trace spammy URLs and then block the message based on the inclusion of a bad link. To get around this, spammers will ask recipients to type the URL into their browsers.Other methods include word salads, text passages, often taken from classic novels, to confuse Bayesian filters and weighted dictionaries that rely on complex math or word scoring to determine the probability that some combination of words is spam. The filter sees predominantly natural text it can't flag as illegitimate.Another technique used to bypass filters consists of programming a GIF to slowly overlay its layers to create an animated GIF, similar to GIF layering. Here, with www.dvarx.com, each letter is a GIF layer. As they are stacked, it looks to the eye like someone typing in the letters into the address bar.

Re:

[plover]

Thanks, I got that one, that's the bit with the pictures. What I can't get is page two of http://csoonline.com/read/040107/fea_spam.html [csoonline.com] the actual article itself. I've even tried in an unmodified IE, no dice.

Pretty easy to filter

[Anonymous Coward]

I send "Content-Type: image/(gif|jpe?g|png)" emails to /dev/null and pass the rest to spamprobe. After the inital learning of a couple of days, it's been 100% effective on image spam.

That's odd

[techpawn]

I get through the article and realize it's from April... I feel so out of date.

What about captcha-busting software?

[vonPoonBurGer]

Lots of websites use the same techniques to obfuscate the little images used to differentiate real users from bot software. There have been lots of proof of concept examples of software that automatically "solve" these CAPTCHA images (http://en.wikipedia.org/wiki/Captcha#Computer_cha racter_recognition). If spammers move to increasingly complex image spam, I could see spam filters growing to include some of these algorithms, converting the images into a best-guess text representation, then subjecting that text to standard spam filtering. Even if the image to text conversion was only 50% accurate, I bet that would be enough to train up a modern spam filter like SpamBayes to recognize and reject the message.

Of course, I just read all my mail as plain text, so this is a non-issue as far as I'm concerned.

Re:

[Dynedain]

I really believe that the first instance of a true AI that passes the Turing test will have grown out of spam filtering...

Re:What about captcha-busting software?

[drinkypoo]

If spammers move to increasingly complex image spam, I could see spam filters growing to include some of these algorithms, converting the images into a best-guess text representation, then subjecting that text to standard spam filtering.

This is directly related to a realization I just had (you almost had it yourself.) Image-based spam is fucking brilliant but not just because it works. There is a secondary effect - a positive one for the spammers.

Right now the strongest weapon in the defense against web spam is the CAPTCHA. Most of them depend on obfuscated text to defeat machine recognition.

Spammers lack the resources to effectively defeat CAPTCHAs permanently through technology. Their current solution is to use a network of humans, ala Amazon Mechanical Turk, to solve them. Computers are simply bad at doing this, but this is largely because we have not figured out how to make them good at it.

By using the same techniques to obfuscate spam as the rest of us use to create CAPTCHAs, they ensure that someone else will do the work of defeating text obfuscation-based CAPTCHAs in order to better recognize and classify spam.

I'm sure I'm not the first to have this realization (at the bare minimum, spammers have realized it) but I think it's a pretty good one.

Re:

[laffer1]

"Right now the strongest weapon in the defense against web spam is the CAPTCHA"

Lets fix this.. Right now the strongest weapon in the defense against web spam and letting blind people read websites is the CAPTCHA.

If you offer an alternative, it is usually hackable by bots. It also slows down the user and causes confusion. I hate CAPTCHA. I think the development of CAPTCHA gave spammers the ideas to use these image spams in the first place.

Re:

[vonPoonBurGer]

To be honest, I think CAPTCHAs are living on borrowed time, both as a method of distinguishing humans from bots, and as a method of obfuscating spam. Once CAPTCHA-busting software has gone through a few iterations and been integrated into a few spam filters, websites are going to have to find a new way to differentiate real people from automation, because the same code can be used to bypass bot detection. The solution already exists, it's called KittenAuth (http://www.thepcspy.com/kittenauth). Spammers w

Re:

[Graff]

Yep, if it comes in as anything besides plain text I don't bother with it. I don't want my e-mail to be formatted in some odd way or to have tons of multimedia. I just want to be able to read the text. If there are attachments such as pictures, sound, or video I want to be able to save them where I want them and view them in an external viewer, after verifying them of course.

Whoever it was that came up with the idea of using HTML in e-mails is a total idiot. If you really need formatted text then make a

Use a manual rule to block it

[Anonymous Coward]

"Parsing an image, on the other hand, ain't so easy. "

So use a manual rule to block these messages, discarding them on the basis of how they're put together.

If *all* of the following conditions are met:

Any attachment name contains .gif
+ Content-Type contains multipart/related
+ Sender is not in my address book

Move message to "Junk".

http://www.hawkwings.net/2006/12/20/another-mailap p-rule-to-catch-image-spam/ [hawkwings.net]

Re:

[SQLGuru]

Just because the extention isn't GIF, doesn't your mail program still handle the file based on it's binary header? So, I could send a PNG or JPG or BMP or TIFF and, as long as you use the same viewer (in other words, the internal image viewer), it will open the file and use the logic based on the binary input.

Layne

Man.

[feijai]

Geez. That website is irritating as all hell. Instead of laying out the article in text and pictures, he requires you to click on the page eight times just to see the various little subareas he's constructed. It's like punishment for reading his page.

It's a problem even if you don't get it

[Anonymous Coward]

Just a quick note on this story. One of the important lessons of image spam is it's a problem regardless of whether or not you actually receive it in your inbox. As the print version of the story points out, most image spam emails are at least twice the size of a text email (and they are getting much much bigger than that). That means spam is clogging up pipes along the way. Also, it's hogging massive amounts of storage at companies that can't filter it well and backup/archive email and junk inboxes that don't get cleaned out. Also, it still gets through to many many inboxes, as the fact that the SEC banned trading on penny stocks that were part of a pump and dump image spam campaign points out. The question is, and will increasingly be, why are we trying to filter this stuff at the email server rather than on the backbone? To date, ISPs and backbone operators have been hands off. That's good. No judgment on traffic and what's "good" or "bad." But it's also bad--all this crap clogs up the network and leads to any number of frauds and scams. Watch--there will be more of a push on these guys to start making value judgments on traffic and scrubbing "bad" traffic like spam and suspected DDoS etc. That's good--less spam in inboxes, cleaner pipes, better service and reduced chance of fraud. That's also bad--who is Joe Backbone that he gets to decide good and bad packets and what if he makes a mistake?

Funny, I haven't noticed

[burris]

Despite the best efforts of spammers, my filter is still highly effective. While I have received an ever increasing amount of spam over the last couple of years, my filter has kept it out of my inbox. Almost none of it gets through and my e-mail is as useful as it was 15 years ago when there wasn't any spam. I don't think the filter I use is anything special (SpamSieve for Mac.) People who suffer from spam problems likely aren't using anything at all or are using filters that are only for show, so the "has a spam filter" box can be ticked and not designed to be effective (i.e. the ones provided by crappy web mail or Microsoft and Apple mail programs)

The biggest front on the war against spammers is simply educating non-experts on the existence of effective filters. Plus, we should be chiding companies like Apple and Microsoft for providing impotent filters. I think they purposely make crappy filters to avoid pissing off big companies (spammers.)

The more they try to fool the machines...

[pdboddy]

... the easier it becomes for a human to pick it out. Anything that has a garbled or gobblygook subject is going to be spam these days. Anything in plain english, but forming nonsensical sentences is going to be spam. Anything that looks like someone copy'n'pasted from a book on english poetry is going to be spam. Those three rules alone should cut out most of anyone's spam. Then you can delete anything advertising fake rolexes, pump and dump stock schemes and OEM software. And offers of naked pictures and singles websites. That should about do it...

Re:

[Glonoinha]

An even better bet : anything that contains HTML tags that are not valid tags is very likely spam.
Three or more invalid HTML tags in the same email - practical guarantee that it is spam.

filtering image spam

[secPM_MS]

The simplest and safest approach is simply to read e-mail in plain text only. It is reduced functionality, but it works. Somewhat more dangerous, but apparently safe enough is to read e-mail in a safe html subset -- shtml, with images and multi-media rendering turned off. This is the default for Microsoft's Outlook and since the move to shtml several years ago they do not seem to have had any view and be owned issues. The image blocking blocks the image spam.

Since it appears that Web 2.0 is all but syn

Yes let me just update the menu to reflect our new

[kennylogins]

portions:

Eggs, sausage, bacon, spam, spam, toast, spam, chips, coffee and spam.

Some pitfalls

[Etcetera]

We've been working pretty hard on implementing a useable OCR system at the ISP I work for. Not only using FuzzyOCR, but rolling some of our own algorithms to determine the likelihood of something being image spam.

One thing we didn't expect -- and are still coping on working around -- was something very simple:

Screenshots

The more stringent you are on image/text spam, the greater the likelihood that you're going to create a false positive when someone emails an image with a lot of text in it... e.g., a screen

Image spam is easy

[billcopc]

I find the "problem" of image spam quite easy to avoid. I just don't accept any emails with attachments/images unless they're on my whitelist, because really... who's going to be emailing pictures to me other than my friends and family ? It's just plain retarded.

Look Ma! It's a tree!

[Sax Maniac]

The scourge of spam?? How about the scourge of articles dressed up as an fucking tree control! Which is animated to add insult to injury. And no print button!

This is, no doubt, Web 2.0 at its finest. I think I'd rather have spam.

What's next? Articles written as directed acyclic graphs?

AI research

[massysett]

This article is fascinating because it shows how the smallest things will utterly confound computers even as they are barely noticeable by humans. Computers are quite "dumb" in this regard. Maybe antispam will be the next frontier of artificial intelligence research. Which is kind of sad, but perhaps necessary.

Image Spam?

[SCHecklerX]

If using SpamAssassin, subscribe to the SARE stuff and add this to your config:

score SARE_GIF_ATTACH 2.5 2.5 2.5 2.5
score SARE_GIF_STOX 2.5 2.5 2.5 2.5

I've not seen an image spam since configuring the above. Updates are also automatic with the following cron jobs:

0 4 * * * /usr/bin/sa-update && /usr/local/bin/md-mx-ctrl reread > /dev/null
0 5 * * * /usr/bin/sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com && /usr/local/bin/md-mx-ctrl reread > /dev/null

GIF SPAM

[geekmansworld]

It seems that a lot of image spammers have tried to circumvent newer spam-blocking technology by using animated GIFs: the first frame of which is blank, and the second of which contains the ad.

For months, we had consistent problems with clients e-mails (using a major ISP I won't mention here) not reaching our server. Curiously, it would happen most often with replies to our original e-mails.

After months of anguish and highly accusatory phonecalls to the ISP's tech support, we discovered the problem. Our company e-mail signature contains GIF images. When a client replied to us, quoting the original e-mail, the ISP would scan the e-mail, detect the inline GIF, and block the e-mail.

Since we changed the format of our signature to use JPEGs instead of GIFs, we've had no problems with the ISP blocking client replies.

So once again I assert: the biggest problem with spam isn't even the spammers, it's the n00b sysadmins who implement agressing spam-blocking rules before thinking about the consequences. I'd rather get more spam that have legitimate e-mails blocked by false positives.

"The first thing we'll do is kill all the spammers..."

Re:

[JesseL]

2/3 of the article is about the methods spammers use to fool OCR software that might be analyzing the message. RTFA.

Re:

[SQLGuru]

But why does the binary content have to be OCR'ed? Can't the image be processed completely and THEN OCR'ed? That would eliminate the problems of layering, splitting, etc. And OCR the greyscale version (with maybe a jacked up contrast) to get around color problems. It won't solve all of the problems, but it should reduce the number that you need to address.

Layne

Re:

[plover]

RTFA. A big part of the article is devoted to the images being split up, animated and fuzzed (just like CAPTCHAs) so they can dodge OCR based spam filters.

Re:

[Hoi Polloi]

At least the spammers are doing free captcha R&D.

Re:

[Zenaku]

The article (or at least the interactive thingy) specifically discusses the techniques that image spammers use to confuse OCR and render it ineffective. So, short answer is: filters already do this, and it doesn't work.

Re:

[Applekid]

TFA shows exactly how the images try to fool OCR software.

Defenses against OCR:
* Throw in pixel noise
* Alter colors (I don't really understand this one other than insufficient contrast)
* Alter geometry enough to throw recognition algorithms off
* Give each letter a different font/position/geometry so adaptive OCR doesn't have enough samples to adapt.
* Split up images into layers of multiple images such that no single image has, by itself, any text

It's a very interesting article. We're going to have to make b

Re:

[SQLGuru]

Think of the "alter colors" approach as similar to 133T. But the results being "normal human" legible.

Say you were going to display a capital R. But you change the color of the forward leg to be a different color. A program might interpret it as a P with a funny mark (possibly an i?). Now, instead of doing it at a somewhat understandable location, maybe you write a capital W with \/\/ where the colors alternate between pink, magenta, pink, red. A human would see the W, but a computer would interpret it

Re:

[CastrTroy]

Couldn't the computer convert the image to black and white (1-bit colour, not greyscale) before attempting the OCR? You'd probably have to do some configuring as to the threshold for converting to black/white, but It shouldn't really be that hard.

Re:

[Daniel_Staal]

And if people are converting to greyscale, then you just throw in pixel noise in different colors. Humans, again, will sort out the irrelevent colors and see the letters, but the computer would have to trace them as part of the OCR.

Re:

[Gordonjcp]

Since it's heavily fuzzed, it's unlikely to compress very well. You could compare compressed and uncompressed sizes, or compare how badly jpeg mangles it.

Re:

[jandrese]

That's all great an all, but is anybody going to buy something from a link that has crazy ransom-note-like letters with random colors and digital noise all over the place? Not to mention the likely bad grammar and all of the other things that make spam risky. Sometimes I think this image spam is just a way to try to make spam blocking researchers waste a lot of time with OCR software.

On the other hand, I wouldn't think people would click on regular spam either, so obviously I'm underestimating the stu

pump-n-dump

[Penguinshit]

describes the multitude of summer camp romances in my youth...

Re:

[misleb]

Unfortunately spammers are still a step ahead.

Are they? Hardly any of it gets through my Spamassassin filter. There was a period back last October 2006 or so when I got a lot, but SA caught up. I did have to add a little weight to "image only" rules, but so far I've been able to filter the vast majority of it out.

-matthew

Re:Ideas?

[Applekid]

For starters, there's always hiring someone else to screen your emails for you. I wouldn't be surprised if there was already a service that you could join today and get your emails pre-screened.

Spam filters are going to have to get to be as good as an informed human being before they can stop all spam regardless of what tricks they use.

I just hope AI gets to that point before it goes all sentient... you know:
"DESTROY ALL SPAM"
...computing...
"SPAM COMES FROM HUMANS"
...computing...
"DESTROY ALL HUMANS"

Re:

[Hatta]

I know that I have embedded images in emails before, used hyperlinks, etc.

Shame on you, HTML email is evil [georgedillon.com]. It is simply not fair to expect someone you're sending a message to to fire up an HTML renderer with all the system requirements and security risks that entails. If you want someone to read your email, make it easy for them. If I can't read it in mutt, it doesn't get read. Email is plain text for a reason.

Re:

[misleb]

And this assumes that once they get through any filters the recipient actually wants to read it. I'd have thought that the bulk of content based filtering happens at the email client.

Company wide (and service wide such as Gmail) spam filtering is getting pretty common and effective. I would guess that most people who have spam protections get it from their ISP, email service, or employer. Then again, I have never bothered with client-side spam filtering. Maybe it is just that easy to setup that average us

Re:

[pdboddy]

There *is* a perk to using a text-only email system. Though, my experience of pine is from the mid-90s, so I don't know if it allows HTML or imaged email nowadays. :P

Re:

[soft_guy]

This is not a new idea. It is also not ethical.

Re:

[LordEd]

I believe there have been a few viruses that attempt to do this. However, what gives you the right to invade somebody's PC even with good intentions? You are still cluttering the internet with your virus, and your virus is still using the system's resources to invade other systems.

If you don't write your virus properly, then it may not self terminate or have side effects that are worse than the initial infection (failed patching, CPU hog, destroy OS).

Re:

[OwnedByTwoCats]

I agree that this idea is old. I am becoming less convinced that this is a bad idea.

Given that (a) such a preventative virus locks the door behind itself, i.e. closes the security holes that it uses to propagate, and (b) the existance of said security holes, and exploitation of them by those with nefarious purposes, then much of the argument against a preventative virus go away. Yes, you are using resources without permission, but see the legal concept of "hazardous nuisence"; others were using the resour